Page last updated on February 25, 2026
Bloomin' Brands, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:06:46 EST.
Filings
10-K filed on 2026-02-25
Bloomin' Brands, Inc. filed a 10-K at 2026-02-25 16:06:46 EST
Accession Number: 0001546417-26-000009
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

We maintain a risk-based, defense-in-depth approach to cybersecurity and data protection. Our cybersecurity program is aligned with the National Institute of Standards and Technology Cybersecurity Framework and incorporates monitoring, vulnerability management, incident response planning and third-party security evaluations to identify and manage cybersecurity risks. We dedicate resources and apply security controls where we believe they would be most effective to predict, prevent, detect and respond to potential security threats to our highest value information assets, which we consider to be point-of-sale systems, financial systems and confidential, personal and private customer and employee information. We use multiple safeguards to protect our internal networks and systems, including, among others, firewalls, email protection and web filtering, endpoint detection and response software, controlled access to our data and systems, segmenting our card data environment, vulnerability management and patching.

We engage independent third-party firms on a recurring basis to conduct cybersecurity audits that assess the effectiveness of our controls and identify areas for enhancement. In addition, we retain an external security firm each year to perform both internal and external penetration testing of our technology environment to evaluate the resilience of our systems against potential threats. Additionally, given that we accept credit cards as a form of payment, we consider the requirements of the Payment Card Industry Data Security Standards ("PCI DSS") as part of our cybersecurity risk management program.

We implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities, and we investigate security incidents that have impacted our third-party providers, as appropriate.

As part of our enterprise information security program, employees and contractors are required to participate in ongoing cybersecurity awareness activities, including role-based training, periodic refresher courses, and simulated phishing exercises designed to reinforce secure behaviors and identify areas for improvement. We also engage independent third-party cybersecurity firms to perform simulated cyberattack exercises to evaluate the design and operating effectiveness of our security controls. In addition, we retain external subject matter experts to conduct assessments of identity and access management, information technology asset management, and cybersecurity policies and standards to support continuous improvement of our cybersecurity risk management program.

We have company-wide business continuity and disaster recovery plans used to prepare for multiple events, including a potential disruption in the technology on which we rely. We maintain incident response plans and playbooks in preparation for various contingencies and types of incidents. The cybersecurity incident response plan ("IRP") includes immediate actions to mitigate and contain the short-term impact of an incident, and long-term strategies for remediation and prevention of future incidents. The IRP also includes policies that dictate escalation procedures and remediation plans based on the severity level of an incident. As part of our IRP, we consider engaging third-party cybersecurity firms to assist in the event of a significant incident. We also conduct tabletop exercises to enhance incident response preparedness.
We, like others in our industry, experience cybersecurity incidents and attempts to access our systems. In the event we experience an incident, we classify it based on its significance and track remediation actions and outcomes. We have invested in the protection of our data and information technology and monitor our systems on an ongoing basis; however, we cannot provide any assurance that we will not experience a material incident in the future. As of the date of this filing, we do not believe we have been materially affected or are reasonably likely to be materially affected by cybersecurity incidents or threats. As described above, we utilize a risk-based approach to manage cybersecurity risk and it is possible we may not implement appropriate controls if we do not recognize or appropriately estimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. See Item 1A. Risk Factors for additional discussion of our cybersecurity risks.

Governance

Our Board of Directors (our "Board") has charged the Audit Committee with oversight of the Company's identification, assessment and management of cybersecurity and data privacy risks. The Audit Committee receives quarterly updates from our Chief Information Security Officer ("CISO") and our Chief Information Officer ("CIO") regarding our cybersecurity program and actions taken to manage cybersecurity risk, which include risk identification and management strategies, consumer data protection, security programs, ongoing risk mitigation activities and results of third-party assessments and testing. We maintain a dedicated cybersecurity team, which consists exclusively of Company employees, within our broader information technology department.
Functions within this department range from new information technology solution design and implementation to vulnerability management, phishing awareness, threat detection, PCI DSS compliance and incident response. Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CISO, who has over 25 years of experience in the field of cybersecurity, including prior service in the military in cybersecurity roles, and relevant industry certifications commensurate with his role. Our CISO reports directly to the CIO, who has over 30 years of technology leadership experience in various industries. Our CIO receives updates from our cybersecurity department regularly and reports to our Chief Executive Officer, who receives updates on incidents, trends, projects and other relevant information regularly. In addition, as part of our incident response planning, we maintain cross-functional response teams to be prepared to respond to an incident.
Company Information
| Name | Bloomin' Brands, Inc. |
| CIK | 0001546417 |
| SIC Description | Retail-Eating Places |
| Ticker | BLMN - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 28 |